- From: Per Østergaard <Per.Oestergaard@lego.com>
- Date: Mon, 6 Dec 2021 12:49:45 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <AM8PR05MB7361473AC8009820AB5026BF966D9@AM8PR05MB7361.eurprd05.prod.outlook.com>
Hi I was wondering why there is no default method. Without a default=() (e.g.. no permissions), our websites have to return a long list of deny permissions. Furthermore, this list needs to be updated whenever new permissions appears. IHO it would make much more sense to have a deny-all setting and open for the features we know our solution supports. In this way, we would also restrict any unauthorized code (injection attacks, supply chain attacks, content editors' HTML). How come this design was chosen and how can I influence the standard? Always have fun [LEGO] Per Østergaard Principal Engineer Digital Security Mobile +4540235746 E-mail Per.Oestergaard@lego.com<mailto:Per.Oestergaard@lego.com> LEGO System A/S Åstvej 7190 Billund Denmark Company: +45 79506070 www.LEGO.com<http://www.LEGO.com> LEGO and the LEGO logo are trademarks of the LEGO Group. ©2021 The LEGO Group. This email message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
Received on Monday, 6 December 2021 21:18:30 UTC